Digital Personal Data Protection Bill
On 5th July 2023, the Digital Personal Data Protection Bill received clearance from the Union Cabinet and is now set to be introduced in the upcoming Monsoon Session of Parliament. Alongside this bill, the Indian Telecommunications Bill, which seeks to revamp the existing legal framework for telecom firms, may also be tabled. The DPDP Bill aims to establish norms for the management of personal data, including explicit consent requirements for data collection and usage.
What is the Digital Personal Data Protection (DPDP) Bill?
The Digital Personal Data Protection (DPDP) Bill is legislation aimed at governing the use and protection of personal data in India. The bill outlines the rights and responsibilities of both citizens (Digital Nagrik) and data fiduciaries, with the goal of ensuring lawful and transparent data collection and usage.
Rights and Principles
The DPDP Bill is based on six principles that govern the data economy. The first principle emphasizes the lawful collection and usage of personal data, ensuring protection from breaches and maintaining transparency. The second principle highlights that data collection must have a legal purpose and data should be securely stored until the purpose is fulfilled. The third principle focuses on data minimization, advocating for the collection of only relevant data for the predefined purpose. The fourth principle emphasizes data protection and accountability, while the fifth principle stresses the importance of data accuracy. The final principle addresses the reporting of data breaches, emphasizing fair and transparent reporting to the Data Protection Boards.
Data Protection Board and Complaint Mechanism
Under the DPDP Bill, individuals have the right to lodge complaints with the Data Protection Board of India, comprising government-appointed technical experts, if they suspect unauthorized use of their personal data. The board will initiate investigations into breaches reported by individuals.
Adoption of EU Regulations and Exceptions
The DPDP Bill draws inspiration from the EU’s General Data Protection Regulation (GDPR) and encompasses 23 instances where consent for data recording may not be feasible, such as emergencies or natural disasters.
Penalties and Mitigation Measures
Entities found guilty of data breaches may face penalties of up to ₹250 crore per breach, with a potential upward revision to ₹500 crore. However, voluntary admission of a breach coupled with penalty payment can serve as a mitigation measure to avoid litigation. Individual offenses carry fines starting from ₹10,000.
Grievance Redressal and Compensation
Globally, a significant majority of cases are resolved at the grievance redressal stage. While compensation-seeking parties must resort to the judicial process, they can request their own information through the Right to Information (RTI) Act.
Concerns and Exemptions
Experts have raised concerns that courts and law enforcement agencies are exempt from certain requirements when processing personal data for the prevention, detection, investigation, or prosecution of offenses. Critics argue that this could hinder accountability and transparency.
Union Minister of State for Electronics and Information Technology Rajeev Chandrasekhar stated that the DPDP Bill will bring about significant behavioral changes among platforms in India that have historically exploited or misused personal data. He expressed confidence in the bill’s effectiveness in driving positive changes and emphasized its comprehensive nature.
Evolution of the Bill and Expert Dissent
The DPDP Bill’s journey began in 2017 following the landmark K.S. Puttaswamy vs. Union of India judgment, which recognized the right to privacy as a fundamental right. However, retired Justice B.N. Srikrishna, who led the first committee for drafting the data protection bill, has disowned the latest version, expressing concerns over government authority and inadequate protection of individuals’ data privacy rights.
The clearance of the Digital Personal Data Protection Bill by the Union Cabinet marks a significant step toward safeguarding personal data and establishing guidelines for its collection and usage. The bill aligns with global data protection norms, drawing inspiration from the EU’s GDPR. However, concerns have been raised about exemptions for courts and law enforcement agencies and the need for stronger protection of individuals’ privacy rights. As the bill progresses through Parliament, it is crucial to strike a balance between data protection and the efficient functioning of law enforcement and judicial processes.